Medicare Accounts Data Breach

• By: Maureen Carland
• On: 07/07/2025 09:07:59
• In: Quality/Regulatory

The Centers for Medicare & Medicaid Services (CMS) is notifying approximately 103,000 Medicare beneficiaries whose personal information may have been involved in a data security incident affecting Medicare.gov accounts. The breach, discovered in May 2025, involved unauthorized creation of online beneficiary accounts using personal information obtained from unknown external sources.

CMS first became aware of the issue on May 2, 2025, when its 1-800-MEDICARE call center began receiving inquiries from beneficiaries who received confirmation letters for Medicare.gov accounts they had not created. A prompt investigation revealed that malicious actors had fraudulently established accounts between 2023 and 2025 using valid beneficiary data, including Medicare Beneficiary Identifiers (MBIs), coverage start dates, names, dates of birth, and zip codes.

Once created, these unauthorized accounts may have allowed access to sensitive information such as provider details, mailing addresses, dates of service, diagnosis codes, services received, and plan premium information. At this time, CMS has not received reports of identity theft linked to the breach but is taking precautionary measures to mitigate any potential risks.

CMS Response and Actions Taken
CMS has taken action to protect impacted individuals and the integrity of its systems, including:

• Deactivating all fraudulently created Medicare.gov accounts.
• Disabling the ability to create new accounts from foreign IP addresses.
• Monitoring claims data for suspicious activity.
• Issuing new Medicare cards with updated MBIs to affected beneficiaries.

In addition to these measures, CMS is mailing notification letters to impacted individuals. These letters explain the incident, outline steps being taken to protect their data, and provide guidance on further actions beneficiaries can take to safeguard their personal information.

Implications for Skilled Nursing Facility (SNF) Providers
SNF billing departments should be aware that residents may receive new Medicare cards with updated MBIs. Providers should be alert for unexpected claim denials due to invalid MBIs and verify with residents or their responsible parties whether a new Medicare card has recently been issued.

What Beneficiaries Can Do
CMS advises beneficiaries to take the following steps:

• Review Medicare Summary Notices and Explanation of Benefits for unfamiliar charges or services.
• Report suspicious activity to 1-800-MEDICARE (1-800-633-4227) or the HHS Office of Inspector General at oig.hhs.gov/fraud/report-fraud.
• Obtain a free annual credit report through www.annualcreditreport.com or by calling 1-877-322-8228.
• Report any identity theft concerns to local law enforcement or the Federal Trade Commission at www.ftc.gov/idtheft or by calling 1-877-IDTHEFT (1-877-438-4338).

CMS emphasized that current Medicare benefits and coverage remain unaffected. For questions or additional information, beneficiaries are encouraged to contact 1-800-MEDICARE.
 
Staff contact: mcarland@mehca.org